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Introduction 


HERBERT LIN and AMY ZEGART 


In March 2016 we held a two-day research workshop on the strategic use of 
offensive cyber operations. The workshop brought together distinguished 
researchers from academia and think tanks as well as current and former 
policymakers in the Department of Defense (DoD) and the U.S. intelligence 
community. All discussions and papers were unclassified. 

We organized the workshop for two reasons. First, it was already evi¬ 
dent then—and is even more so now—that offensive cyber operations were 
becoming increasingly prominent in U.S. policy and international security 
more broadly. Second, despite the rising importance of offensive cyber op¬ 
erations, academics and analysts were paying much greater attention to cyber 
defense than to cyber offense. Consequently, key issues such as the concep¬ 
tual underpinnings, doctrine, operational assumptions, intelligence require¬ 
ments, organizational demands, and escalation dynamics of offensive cyber 
operations were understudied. 

On the increasing prominence of offensive cyber operations for the United 
States, consider the following: 
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The deployment and use of Stuxnet against Iranian centrifuges is widely 
credited with slowing Iran’s progress toward acquiring a nuclear weapon 
before it was discovered in 2010d 

Presidential Policy Directive 20 (PPD-20), which established U.S. policy 
for both offensive and defensive cyber operations, was leaked by Edward 
Snowden in 2013, and much of its content was described in news articles.^ 
According to the Guardians reporting, offensive cyber capabilities can be 
used broadly to advance “U.S. national objectives around the world.”^ 

The Department of Defense Cyber Strategy, released in April 2015, fo¬ 
cuses on “building capabilities for effective cybersecurity and cyber op¬ 
erations to defend DoD networks, systems, and information; defend the 
nation against cyberattacks of significant consequence; and support 
operational and contingency plansl'^ 

In a speech at Stanford University releasing the April 2015 cyber strat¬ 
egy, Secretary of Defense Ash Carter explicitly noted that one mission 
of the DoD is “to provide offensive cyber options that, if directed by the 
President, can augment our other military systems.”^ 

The DoD has publicly acknowledged using cyber weapons in its fight 
against the Islamic State of Iraq and Syria (ISIS). For example, in Febru¬ 
ary 2016 Secretary of Defense Carter said that U.S. Cyber Command is 
conducting offensive cyber operations to cause ISIS to “lose confidence 
in their networks, to overload their networks so that they can’t function, 
and do all of these things that will interrupt their ability to command 
and control forces.”^ He also noted that Cyber Command “was devised 
specifically to make the United States proficient and powerful in this 
tool of war.” In April 2016, Deputy Secretary of Defense Robert Work 
said, regarding ISIS, “We are dropping cyber bombs. We have never 
done that before,” and “Just like we have an air campaign, I want to have 
a cyber campaign.”^ 

During the 2016 presidential campaign, then-candidate Donald Trump 
promised to “make certain that our military is the best in the world in 
both cyber offense and defense.”* Trump argued in the same speech that 
“As a deterrent against attacks on our critical resources, the United States 
must possess the unquestioned capacity to launch crippling cyber counter¬ 
attacks. . . . America’s dominance in this arena must be unquestioned.” 
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On Inauguration Day the White House noted, “We will make it a prior¬ 
ity to develop defensive and offensive cyber capabilities at our U.S. Cyber 
Command.”^ 

• In March and April 2017 the New York Times published a number of 
articles describing U.S. efforts regarding certain “left-of-launch” ballistic 
missile defense methods targeting North Korea’s program,'® in particu¬ 
lar cyber methods for compromising a missile before launch. On the basis 
of what New York Times reporters David Sanger and William Broad 
believed to be an unusually high failure rate of North Korean missile 
tests, they concluded that the United States had been conducting a cyber 
campaign against the North Korean missile development program. 

• The Trump National Security Strategy of December 2017 states that 
“the United States will impose swift and costly consequences on foreign 
governments, criminals, and other actors who undertake significant ma¬ 
licious cyberactivities.”" 

More broadly, the attention paid to cybersecurity issues by policymakers 
has risen dramatically in the past few years. Cyber threats from China (for 
example, the 2015 theft of millions of records from the Office of Personnel 
Management), North Korea (the 2017 WannaCry ransomware attack that 
affected computers worldwide, including the United Kingdom’s National 
Health Service), Russia (the 2017 NotPetya ransomware attack against 
Ukrainian institutions, including parts of its critical infrastructure), and Iran 
(the 2012 attack against Saudi Aramco that destroyed 30,000 computers) 
have provided strong signals to policymakers that offensive cyber operations 
are powerful instruments of statecraft for adversaries as well as for the United 
States. Cyber-enabled information operations, such as the Russian interven¬ 
tion in the U.S. presidential election of November 2016, have further raised 
the profile of the relationship between cyberspace and national security. 

If recent history is any guide, the interest in using offensive cyber opera¬ 
tions is likely to grow. Already, there is robust discussion about whether the 
current requirement articulated in PPD-20 for “specific presidential ap¬ 
proval” of offensive cyber operations with significant consequences should 
be relaxed to allow greater delegation to theater combatant commanders. 
Strategically, greater receptivity to the use of offensive cyber operations may 
suggest that such operations could be the instrument of first military use 
if nonmilitary measures (diplomatic, economic, or legal measures) fail. 
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A logical consequence would also be continuing or expanded efforts to estab¬ 
lish a ubiquitous presence on possible cyber targets, an outcome discussed at 
greater length by Chris Inglis (chapter 2 in this volume). 

Other significant changes may also be in the offing. For example, greater 
receptivity to the use of offensive cyber operations may lead to a greater will¬ 
ingness to employ destructive or disruptive active defense measures, or to 
allow their use by the private sector in extremis. The U.S. government’s 
Vulnerabilities Equities Process, which determines whether software vul¬ 
nerabilities discovered by intelligence agencies should be disclosed to private 
sector vendors so that they can be patched, may also shift. Under the Obama 
administration, this process reportedly tilted toward disclosing vulnerabili¬ 
ties to companies. The rising use of offensive cyber operations may shift the 
calculus toward stockpiling vulnerabilities instead so that they can be used 
by the U.S. government in subsequent offensive operations. In addition, more 
open and vigorous support may be offered to efforts that promote exceptional 
access to encrypted files and communications for law enforcement and in¬ 
telligence agencies. 

Last, the elevation of U.S. Cyber Command from unified subcommand 
under U.S. Strategic Command to a full unified combatant command— 
mandated by Section 923 of the National Defense Authorization Act for 
FY 2017^^—occurred on May 4,2018.^^ The full operational implications of 
this organizational change will unfold over time, but it is possible that as a 
full unified combatant command. Cyber Command will have greater inde¬ 
pendent authority to conduct operations, both offensive and defensive, in 
cyberspace. 

The increasing prominence of offensive cyber operations as instruments 
of national policy alone would warrant serious research conducted by inde¬ 
pendent scholars at universities and think tanks in the same way that a 
great deal of research has been conducted on defense-related topics such as 
missile defense, nuclear strategy, and naval operations. Because these top¬ 
ics are important to national defense and international security, they are 
appropriate for independent scholars to study, if only because independent 
perspectives contribute to the overall body of useful knowledge on which 
policymakers can draw. 

To date, academics and analysts have paid much more attention to cyber 
defense than to cyber offense. One important reason underlying this imbal¬ 
ance is a high degree of classification about nearly every aspect of U.S. of¬ 
fensive cyber capabilities. Indeed, Michael Hayden, former director of both 
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the National Security Agency and the Central Intelligence Agency, has 
noted that, as recently as the early 2000s, even the phrase “offensive cyber 
operations” was classified. Not what it might mean, or what the targets would 
be, or what technologies would be involved—merely the phrase itself. 

High levels of classification and excessive secrecy are especially problem¬ 
atic when policymakers try to understand a new domain of conflict because 
secrecy inhibits learning across traditional boundaries, and new types of con¬ 
flict necessarily require learning across traditional boundaries. Again, quot¬ 
ing Hayden: 

Developing policy for cyberops is hampered by excessive secrecy 
(even for an intelligence veteran). I can think of no other family of 
weapons so anchored in the espionage services for their development 
(except perhaps armed drones). And the habitual secrecy of the intel¬ 
ligence services bled over into cyberops in a way that has retarded the 
development—or at least the policy integration—of digital combat 
power. It is difficult to develop consensus views on things that are 
largely unknown or only rarely discussed by a select few.^'* 

Thus we convened the 2016 workshop in large part to promote and dem¬ 
onstrate the realistic possibility of collaboration between government policy¬ 
makers and independent nongovernment researchers working on strategic 
dimensions of offensive cyber operations on an unclassified basis. Although 
over the years a few scholars have ventured into the realm of strategy and 
doctrine around offensive cyber operations without access to classified ma¬ 
terials, the vast majority have found it easier to stay away from the subject 
matter entirely. The result has been a deep loss for strategic thought and a 
stark contrast from the roles that key nongovernment researchers played in 
developing nuclear strategy during the Cold War.^^ 

For example, Bernard Brodie developed the fundamentals of deterrence 
by threat of retaliation as an essential underpinning for nuclear strategy and 
also the importance of a secure second-strike capability (that is, deliverable 
nuclear weapons that could survive a first strike by an adversary) for strategic 
stability.Herman Kahn introduced the key strategic notion of an escala¬ 
tion ladder as it might apply across the entire range of quite limited conven¬ 
tional conflict to all-out nuclear conflict.'^ Thomas Schelling and Morton 
Halperin developed influential theories for promoting arms control involving 
strategic nuclear weapons.^® 
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The workshop focused on strategic dimensions of offensive cyber opera¬ 
tions, which can be used across a wide range of scenarios and for a wide range 
of purposes. Tactical uses of a weapon (cyber or otherwise) focus on short¬ 
term, narrow goals—how to defeat the adversary in the next village tomorrow. 
Strategic uses of weapons, by contrast, focus on longer-term, more overarching 
goals and are designed to affect the broader dynamics between potential 
adversaries both on and off the hot battlefield. 

Generally speaking, offensive cyber activities compromise the confiden¬ 
tiality, integrity, or availability of information. An activity that affects the 
confidentiality of information is considered a “cyber exploitation,” while an 
activity that degrades the integrity or availability of information is consid¬ 
ered a “cyberattack.” In this volume we define offensive cyber operations more 
specifically as: the use of cyber capabilities for national security purposes in¬ 
tended to compromise the confidentiality, integrity, or availability of an ad¬ 
versary’s information technology systems or networks; devices controlled 
by these systems or networks; or information resident in or passing through 
these systems or networks. 

A good place to start thinking about offensive cyber operations in a stra¬ 
tegic context is to consider some of the unique characteristics of cyber weap¬ 
ons and their operation in cyberspace. 


• In cyberspace, instruments used to gather intelligence and inflict damage 
are difficult to distinguish. Because the same techniques are usually used 
to gain access to an adversary’s systems and networks for intelligence 
gathering and for causing harm, an adversary that detects a penetration 
cannot be certain of the penetrator’s intent and therefore may misperceive 
an attempted intelligence operation as an attack. 

• Offensive cyber operations act most directly on intangibles—information, 
knowledge, and confidence. To be sure, cyber operations can cause tangi¬ 
ble effects, as when the information in question is integral to the opera¬ 
tion of devices or equipment that affect the physical world. But offensive 
cyber operations are fundamentally deceptive in nature—at a tactical 
level, no cyberattack tells the user of a computer “click on this link and 
your computer will be compromised by a malicious adversary.” Human 
cognition is of course based on the availability of information—and if 
the humans involved doubt the provenance of the information avail¬ 
able to them, their concerns may well prompt them to assume the worst. 
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• The effectiveness of a cyber weapon is a very strong function of the target’s 
characteristics. In cyberspace, a small change in configuration of the tar¬ 
get machine, system, or network can often negate the effectiveness of a 
cyber weapon against it. This is not true with weapons in other physical 
domains. Any ship hit by a torpedo with a sufficiently large warhead will 
be damaged, whether the ship is made of wood or steel. Anything within 
the crater of a nuclear weapon will be destroyed, regardless of how it was 
built. The nature of target-weapon interaction with kinetic weapons can 
usually be estimated on the basis of physics experimentation and calcu¬ 
lation. Not so with cyber weapons. For offensive cyber operations, this 
extreme “target dependence” means that intelligence information on tar¬ 
get characteristics must be precise, high-volume, high-quality, current, 
and available at the time of the weapon’s use. 

• Interaction with the target in advance of an actual cyberattack on it is 
often a prerequisite for an attack’s success. That is, the attacker may have 
to prepare a cyber target well before the actual attack—for example, by 
surreptitiously installing a “back door” that will grant the attacker ac¬ 
cess at a later time for downloading a customized attack payload that 
takes into account new intelligence information that may then become 
available. 

• Military planning often involves drawing up lists of targets that are well 
known and understood—military bases, headquarters buildings, ammu¬ 
nition and fuel storage facilities, telecommunications facilities, and so 
on. By contrast, many targets in cyberspace can appear and disappear 
from the internet with the flick of a switch. 

These characteristics appear in the four interrelated themes explored by 
the chapters in this volume: (1) cyber strategy and doctrine for offensive use 
of cyber weapons, (2) operational considerations in using cyber weapons, 
(3) escalation dynamics and deterrence, and (4) the role and relationship of the 
private sector to offensive cyber operations. We selected these four themes 
because of their obvious importance to policymakers, because of their clear 
relevance to offensive operations in other domains, and because they will ad¬ 
vance our understanding about what is and is not different when it comes to 
the strategic effects and impacts of offensive cyber operations, both now and 
in the future. In the chapters that follow, contributors go both deep and 
broad. Some offer specific expertise about individual country challenges (such 
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as Adam Segal’s examination of China in chapter 13). Others take a broader 
view of a conceptual challenge (such as Henry Farrell and Charles Glaser in 
chapter 3). Still other chapters focus on technical dimensions of cyher capa¬ 
bilities and how they might be utilized for precise targeting (Steven Bel- 
lovin, Susan Landau, and Herbert Lin in chapter 11) or sabotaging a missile 
development program (Lin in chapter 7). Together, the chapters offer what 
we hope is a compelling and comprehensive view of many of the key techni¬ 
cal, political, historical, and legal dimensions of offensive cyber operations. 


Cyber Strategy and Doctrine 

Strategy and doctrine are foundational to achieving strategic effects of offen¬ 
sive cyber operations. In chapter 2, Chris Inglis sets the stage by examining 
the intelligence, surveillance, and reconnaissance (ISR) infrastructure needed 
to support an effective U.S. cyber strategy. He argues that ISR capabilities for 
cyberspace must be ubiquitous, real-time, and persistent. Capabilities must 
be ubiquitous because cyberspace is global, and the cyber targets that opera¬ 
tional plans call for attacking are potentially located anywhere. They must 
be real-time because up-to-the-minute information on target characteristics 
is almost certainly necessary for an offensive cyber operation to be success¬ 
ful. And they must be persistent because operational preparation of the 
cyber battlefield is time-consuming and it is not known in advance when a 
given offensive cyber operation may need to be executed. The aspirational 
goal for ISR to support cyber operations is that it enables offensive cyber 
operations to sprint from a standing start at any given moment. 

How should the United States choose between cyber and kinetic (or phys¬ 
ical) responses to cyberattacks? Since the early 2000s, the United States has 
made a variety of statements addressing some aspects of this question. The 
2004 National Military Strategy said explicitly that U.S. nuclear capabili¬ 
ties played an important role in deterring the use of weapons of mass de¬ 
struction or effect, including “cyberattacks on U.S. commercial information 
systems or attacks against transportation networks”^® that have a “greater eco¬ 
nomic or psychological effect than a relatively small release of a lethal 
agent.”^° The DoD’s 2015 Cyber Strategy specifically states that the United 
States will respond to cyberattacks against its interests “at a time, in a 
manner, and in a place of our choosing, using appropriate instruments of 
U.S. power and in accordance with applicable law.”^^ The 2018 Command 
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Vision for U.S. Cyber Command argues for a strategy of persistent engage¬ 
ment in cyberspace below the threshold of armed conflict. 

In chapter 3, Henry Farrell and Charles Glaser take a step back from 
these pronouncements. Their starting premise is that decisions about deter¬ 
rence and warfighting should be based on the effect a given U.S. attack will 
have, not the means by which that effect is produced. But, they note, percep¬ 
tions matter as well: adversaries may perceive different forms of retaliation 
that do equal damage as differently punishing and differently escalatory. In 
particular, kinetic damage may be perceived as “more serious” than compa¬ 
rable damage caused by a cyberattack, thus reducing the likelihood and 
value of kinetic retaliation for deterring and responding to cyberattacks. 

In chapter 4, Max Smeets and Herbert Lin review the March 2018 Com¬ 
mand Vision for U.S. Cyber Command. Superseding the Command Vision 
released in June 2015, the new document demonstrates a marked change in 
Cyber Command’s thinking and approach to engaging adversaries in cyber¬ 
space. Perhaps the most significant change is the acknowledgment that ad¬ 
versary cyber operations below the threshold of armed attack or the use of 
force (both terms recognized by the United Nations Charter) can still have 
strategic significance—smail actions can create iarge consequences. In large 
part, the new Command Vision is the result of the observation that previ¬ 
ous U.S. practices of restraint in cyberspace have not been sufficient to deter 
adversaries from below-threshold operations. The 2018 Command Vision ar¬ 
ticulates a new approach that is based on persistent engagement—that the 
United States must be willing to engage actively and affirmatively below the 
threshold if it is to compete successfully in cyberspace, and thus implicitly 
downplays the escalation risks inherent in a more active stance. Even the title 
of the 2018 Command Vision—“Achieve and Maintain Cyberspace 
Superiority”—sets up Cyber Command’s aspirational vision in cyberspace. 


Operational and Tactical Considerations 

Operational considerations are implicated in the strategic use of weapons in 
that they speak directly to how military forces are employed to gain mili¬ 
tary advantages over an adversary and thereby attain strategic goals. Such 
considerations focus on the design, organization, and conduct of major op¬ 
erations and in-theater campaigns. Of course, the borderless nature of cyber¬ 
space makes the definition of “in-theater” problematic, a point suggesting 
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that offensive cyber operations are themselves likely to be conducted 
without regard for national borders. 

An operation plan is a complete and detailed plan for military operations 
that would be executed upon receipt of appropriate orders for particular mil¬ 
itary contingencies. In 2013 the Guardian reported that PPD-20 called for 
the identification of “potential targets of national importance” where offen¬ 
sive cyber capabilities “can offer a favorable balance of effectiveness and risk 
as compared with other instruments of national power.”^^ Identification of 
such targets is analogous to the development of a target list for the Single 
Integrated Operating Plan for using strategic nuclear weapons, today known 
as OPLAN 8010, “Strategic Deterrence and Global Strike.” 

With the backdrop offered by PPD-20, Austin Long (chapter 5) uses the 
frame of nuclear planning processes to understand how strategic targeting 
using cyber weapons might occur, considering how the organizational pro¬ 
cesses used to plan for the use of nuclear weapons and to execute such plans 
could in fact be applied to cyber weapons as well. Long considers how and 
to what extent strategic infiuence emanating from an adversary complicates 
planning for strategic responses, in particular asking under what circum¬ 
stances strategic infiuence could be regarded as a strategic cyberattack. He 
also discusses whether the oft-mentioned clandestine nature of offensive 
cyber operations has an impact on deterrence, drawing an analogy to Cold 
War strategic electronic warfare as precedents for that possibility. 

In chapter 6, Martin Libicki considers the connection between tactics 
and the conduct of an extended cyber campaign that could have strategic 
impact. He notes that adversaries are likely to adapt as we conduct offensive 
cyber operations against them. Such adaptations could occur relatively 
quickly and may reduce the effectiveness of subsequent operations unless the 
initial operations are crafted carefully to minimize adversary opportunities 
to adapt. 

In chapter 7, Herbert Lin looks at some of the technical issues that a pro¬ 
gram of cyber-enabled sabotage might entail if it were conducted against a 
nation’s missile development program and considers its relevance to an op¬ 
erational ballistic missile defense. Although Lin’s piece is not based on any 
specific knowledge regarding any particular nation’s program, it is notewor¬ 
thy that press reports in 2017 described a U.S. program using various cyber 
means to disrupt and delay the North Korean missile development program. 
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Escalation Dynamics 

Escalation dynamics and deterrence refer to processes by which conflict can 
start, how smaller conflicts can grow into bigger ones, and how these pro¬ 
cesses can be interrupted to make the outbreak or escalation of conflict less 
likely. 

As one important example, intelligence collection—one of the primary 
functions of certain types of offensive cyber operations—can easily lead to 
misperceptions with escalatory implications. Consider, for example, the sen¬ 
sitivity of nations to the security of their nuclear capabilities, which are re¬ 
garded as the ultimate guarantor of their security against hostilities from 
other nations. Gathering intelligence that could shed light on an adversary’s 
intentions is often regarded as enhancing stability, since it can provide reas¬ 
surance about the putative intent of an adversary. But because it is often un¬ 
clear in the initial stages of an offensive cyber operation whether such an 
operation is intended to gather intelligence or to prepare the cyber battle¬ 
field (and because offensive cyber operations are likely to be used early in a 
conflict),cyber-enabled intelligence collection directed against nuclear 
command and control facilities—especially if noticed by an adversary dur¬ 
ing a crisis—maybe misinterpreted as a sign that a preemptive attack on its 
nuclear capabilities is imminent, and thus undermine nuclear stability. 

A second escalatory path may be the comingling of assets for command 
and control of nuclear and conventional forces. An adversary’s command and 
control assets are explicitly called out as a target for U.S. offensive cyber op¬ 
erations in the DoD Cyber Strategy;^"^ if the early phases of a conflict in¬ 
volve conventional forces (and hence the United States launches cyberattacks 
on the command and control assets for these forces), the adversary may well 
see such attacks as attempts to compromise the command and control of its 
nuclear forces—a perception that might lead to escalation of the conflict. 

A third factor in unintended escalation is an inappropriate scope and na¬ 
ture of the rules of engagement for the use of cyber weapons. One basic rule 
of engagement for offensive cyber operations appears to be articulated in 
PPD-20. According to public news reports, PPD-20 directs that cyber 
operations “reasonably likely to result in significant consequences require 
specific presidential approval" (emphasis added) where “significant conse¬ 
quences” are known to include loss of life, serious levels of retaliation, damage 
to property, adverse foreign policy consequences, or economic impact on the 
country. 
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A fourth factor that may drive escalation is public opinion and pressure 
on decision makers. Public opinion has certainly influenced decision mak¬ 
ers to go to war—a fact known since the outbreak of the Spanish-American 
War in 1898.^^ Even if such pressures themselves are insufficient by them¬ 
selves to cause war, they can create climates conducive to conflict escalation 
in which the perceived signiflcance of small incidents grows out of all pro¬ 
portion to its actual signiflcance—and there is no reason to suppose that con¬ 
flict in cyberspace would be an exception. 

Last, the use of a weapon that caused more damage than was intended 
by the attacker might cause unintended escalation of a conflict. Both PPD- 
20 and the DoD Cyber Strategy note that offensive cyber operations must 
be conducted in accordance with the laws of armed conflict (LOAC), just as 
all other U.S. military operations are conducted. To address issues of col¬ 
lateral damage, the DoD has established a “No-Strike and the Collateral 
Damage Estimation Methodology”^^ that requires commanders to compile 
a list of “no-strike entities” upon which kinetic or nonkinetic attacks would 
violate LOAC. Public reports also indicate that PPD-20 directs officials to 
weigh “the potential threat from adversary reactions” and “the risk of retali¬ 
ation,” both considerations in managing risks of escalation. Such consider¬ 
ations would help to shape the establishment of a restricted target list com¬ 
prising valid military targets that for non-LOAC considerations, such as 
escalation, should not be attacked in certain specifled ways. Mission-speciflc 
rules of engagement (also known as supplementary rules of engagement) 
account for no-strike entities and restricted targets. 

These examples of possible escalatory pressures ground the discussion of 
the book’s third theme—escalation dynamics in cyberspace—to which six 
chapters are devoted. 

First, Jason Healey (chapter 8) examines historical case studies and flnds 
that cyber conflict is more often escalatory than not. According to his analy¬ 
sis, U.S. cyber actions often lead to misinterpretations and overreactions by 
adversaries, resulting in those states increasing their own cyber capabilities 
as a result of fear in what might be called strategic escalation or the cyber 
manifestation of the security dilemma.Thus, he argues, an open display of 
offensive cyber capabilities—advocated by many as a measure supporting 
deterrence—is likely to inflame relationships between states as a result of 
“worst-case” judgments on both sides. 

Erik Gartzke and Jon Lindsay (chapter 9) raise another important ques¬ 
tion regarding escalation dynamics. Motivated by press reports regarding 
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U.S. attempts to compromise the North Korean missile development pro¬ 
gram and noting that cyher capabilities depend on concealing information 
about cyber vulnerabilities from the other side, they argue that if the latter 
has nuclear capabilities its confidence in its ability to use those capabilities 
may be excessively high, and that it will be less likely to back down in a 
crisis—thus increasing the likelihood that nuclear war will break out. They 
further distinguish between offensive cyber operations used for preventative 
counterproliferation and for preemptive counterforce, the former extending 
over a longer period of time than the latter. The persistence of such opera¬ 
tions over longer times increases the likelihood that those operations will 
themselves be compromised, an outcome that would tend to undermine the 
further effectiveness of a preventive operation and increase the possibility 
that those operations could be used for preemption. 

Michael Gross, Daphna Canetti, and Dana Vashdi (chapter 10) focus on 
the psychological harm and consequential impact of offensive cyber opera¬ 
tions on public confidence in important national institutions, noting espe¬ 
cially how the mystique and omniscience associated with cyber operations 
affect the risk perception of civilians and how access to the internet has 
become a prima facie requirement for realizing certain basic human rights, 
both of which open new avenues for cyber terrorism. They observe in experi¬ 
ments that in the face of hostile cyber activity, many citizens reevaluate their 
confidence in public institutions and increase their support for harsh mili¬ 
tary responses, tendencies that may well increase public pressures for cyber 
or even kinetic escalation. 

Steven Bellovin, Susan Landau, and Herbert Lin (chapter 11) point out 
that with appropriate intelligence in hand, cyberattacks can be designed 
and conducted in a way that limits damage to the intended targets: discrimi¬ 
nating cyber weapons are technically possible. The chapter also addresses 
technical means for limiting the proliferation of cyber weapons that could 
otherwise occur, a factor that can mitigate the security dilemma in 
cyberspace. 

C. Robert Kehler, Herbert Lin, and Michael Sulmeyer (chapter 12) 
provide an overview of how the DoD normally conceptualizes such rules of 
engagement, but without reference to PPD-20. They note that the U.S. 
military seeks as much as possible to integrate cyber weapons into its opera¬ 
tional toolkit within a common framework of principles that apply to all 
weapons, and that, from the DoD perspective, principles that inform rules of 
engagement for traditional kinetic weapons can and do inform rules 
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of engagement that govern cyberspace operations as well. Nevertheless, 
several characteristics of operations in cyberspace and the use of cyber capa¬ 
bilities complicate the formulation of cyber-specific rules of engagement, 
including the borderless geography and range of effects possible on the 
internet, ambiguity of adversary intent arising from the difficulty of distin¬ 
guishing between intelligence gathering for reconnaissance and preparation 
for attack, and difficulties of attribution in cyberspace. A paucity of histori¬ 
cal experience with cyber operations in a military context will hamper the 
formulation of rules of engagement for cyber weapons; consequently, special 
efforts should be made to impart experience (such as might be developed 
through war gaming and tabletop exercises) to the appropriate leaders and 
commanders. 

Finally, Adam Segal (chapter 13) offers a possible case study addressing 
the escalation potential of U.S. offensive cyber operations in a China-U.S. 
military confrontation. Segal notes that while China is increasingly a target- 
rich environment from both tactical and strategic perspectives, the use of 
offensive cyber operations against these targets is likely to be highly escala- 
tory. Complications will arise from differing conceptions of deterrence and 
crisis management, a lack of transparency into the political control of cyber 
forces, and an expansive view of competition in cyberspace. Yet neither the 
United States nor China will eschew the use of offensive cyber operations, a 
point suggesting the importance of both sides considering measures that re¬ 
duce the likelihood of escalation from tactical to strategic attacks under¬ 
taken through cyber means. 


The Role of the Private Sector in Offensive Cyber Operations 

The private sector is an important part of cyberspace. Unlike other physical 
domains, private actors in cyberspace can significantly influence the nature, 
execution, and prospects for success of offensive operations. It is uncontestable 
that cyber weapons are available to private actors, but the policy implications 
of such availability are controversial and widely debated. Each of the three 
chapters in this section tackles a different dimension of the private sector’s 
role in cyberspace. 

David Aucsmith (chapter 14) argues that because governments are inca¬ 
pable of defending cyberspace for all denizens, private parties must have the 
capability to defend themselves—a capability that necessarily includes the 
ability to inflict harm on attackers. However, the existing legal regime lim- 
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its the actions private organizations can pursue in cyber defense. A variety 
of changes to the existing legal regime would allow private companies to take 
actions consistent with the self-defense constraints of necessity, proportion¬ 
ality, and immediacy, and improve an organization’s ability to both defend 
itself and attribute actions to the aggressors. Lucas Kello (chapter 15) comes 
to the opposite conclusion in his chapter. Kello grants that the potential de¬ 
fensive and other benefits of cyber weapons in this role are significant, yet 
he finds that the risks to defenders, innocent third parties, and international 
conflict stability are greater. 

Finally, in chapter 16, Irv Lachow and Taylor Grossman explore the crit¬ 
ical roles that companies play in supporting offensive cyber operations, in¬ 
cluding intelligence/reconnaissance and planning and mission support for 
such operations. Cyber contractors provide U.S. and other militaries access 
to rapidly evolving technologies and necessary human talent. At the same 
time, the use of such contractors has international ramifications. For exam¬ 
ple, the availability of cyber contractors may affect the balance of power of 
states, as effective offensive cyber capabilities become available to nations 
willing to simply buy them. Cyber contractors involved in offensive cyber 
operations may face some uncertainties about their international legal sta¬ 
tus. And because their services are in principle available to any party will¬ 
ing to pay for them, a contracting company may find itself on both sides of 
a cyber operation. 


Conclusion 

It is only within the last few years that the Department of Defense has 
designated cyberspace a domain of conflict, and many policymakers are 
struggling with how best to integrate offensive cyber capabilities with other 
instruments of military and national power. Taken as a whole, the chapters 
in this volume suggest that thinking about offensive cyber operations as in¬ 
struments of national policy need not require de novo construction. Indeed, 
many of the questions and issues that attend to the strategic dimensions of 
offensive cyber operations arise in other kinds of military operations. How¬ 
ever, because the cyber domain is unlike other domains of conflict in impor¬ 
tant ways, it is not surprising that some of the answers and responses to 
these questions and issues in the cyber domain are different. More clearly 
delineating what’s new and what isn’t in offensive cyber operations is an 
important step forward. 
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